General
-
Target
59c39e77c1aa947761edf957d79390c8_JaffaCakes118
-
Size
664KB
-
Sample
241018-241g4stbqe
-
MD5
59c39e77c1aa947761edf957d79390c8
-
SHA1
d17bf1a2587b20fc6dbab6d8c4eaed0c14054178
-
SHA256
66664b8805b5a084925ac565d2a96dafdf9bbae63020623625d542d7a0131072
-
SHA512
c30dcff0498c902c8ce4666562f7a09351db6b13f70a2c814b5ac40c1fb17bb624773df5c8c6939ba2f2355377c1abe32ace383babeec153d4122aba4e230262
-
SSDEEP
12288:B05Rq34RNtJRbdbRrBERq34RNtJRbdbR:uRc4RNtJRbdFrGRc4RNtJRbdF
Static task
static1
Behavioral task
behavioral1
Sample
59c39e77c1aa947761edf957d79390c8_JaffaCakes118.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
59c39e77c1aa947761edf957d79390c8_JaffaCakes118.exe
Resource
win10v2004-20241007-en
Malware Config
Extracted
xtremerat
amir.no-ip.info
amir1.no-ip.info
Targets
-
-
Target
59c39e77c1aa947761edf957d79390c8_JaffaCakes118
-
Size
664KB
-
MD5
59c39e77c1aa947761edf957d79390c8
-
SHA1
d17bf1a2587b20fc6dbab6d8c4eaed0c14054178
-
SHA256
66664b8805b5a084925ac565d2a96dafdf9bbae63020623625d542d7a0131072
-
SHA512
c30dcff0498c902c8ce4666562f7a09351db6b13f70a2c814b5ac40c1fb17bb624773df5c8c6939ba2f2355377c1abe32ace383babeec153d4122aba4e230262
-
SSDEEP
12288:B05Rq34RNtJRbdbRrBERq34RNtJRbdbR:uRc4RNtJRbdFrGRc4RNtJRbdF
Score10/10-
Detect XtremeRAT payload
-
XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
-
Boot or Logon Autostart Execution: Active Setup
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Privilege Escalation
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1